Hacking Web Apps: Detecting and Preventing Web Application Security Problems (2012)
Information in this chapter:
• Book Overview and Key Learning Points
• Book Audience
• How this Book is Organized
• Where to Go From Here
Pick your favorite cliche or metaphor you’ve heard regarding The Web. The aphorism might generically describe Web security or evoke a mental image of the threats faced by and emanating from Web sites. This book attempts to illuminate the vagaries of Web security by tackling eight groups of security weaknesses and vulnerabilities most commonly exploited by hackers. Some of the attacks will sound very familiar. Other attacks may be unexpected, or seem unfamiliar simply because they neither adorn a top 10 list nor make headlines. Attackers might go for the lowest common denominator, which is why vulnerabilities like cross-site scripting and SQL injection garner so much attention—they have an unfortunate combination of pervasiveness and ease of exploitation. Determined attackers might target ambiguities in the design of a site’s workflows or assumptions—exploits that result in significant financial gain that may be specific to one site only, but leave few of the tell-tale signs of compromise that more brutish attacks like SQL injection do.
On the Web information equals money. Credit cards clearly have value to hackers; underground “carder” sites have popped up that deal in stolen cards; complete with forums, user feedback, and seller ratings. Yet our personal information, passwords, email accounts, on-line game accounts, and so forth all have value to the right buyer, let alone the value we personally place in keeping such things private. Consider the murky realms of economic espionage and state-sponsored network attacks that have popular attention and grand claims, but a scarcity of reliable public information. (Not that it matters to Web security that “cyberwar” exists or not; on that topic we care more about WarGames and Wintermute for this book.) It’s possible to map just about any scam, cheat, trick, ruse, and other synonyms from real-world conflict between people, companies, and countries to an analogous attack executed on the Web. There’s no lack of motivation for trying to gain illicit access to the wealth of information on the Web, whether for glory, country, money, or sheer curiosity.
Book Overview and Key Learning Points
Each of the chapters in this book presents examples of different hacks against Web applications. The methodology behind the attack is explored as well as showing its potential impact. An impact may be against a site’s security, or a user’s privacy. A hack may not even care about compromising a Web server, instead turning its focus on the browser. Web security impacts applications and browsers alike. After all, that’s where the information is.
Then the chapter moves on to explain possible countermeasures for different aspects of the attack. Countermeasures are a tricky beast. It’s important to understand how an attack works before designing a good defense. It’s equally important to understand the limitations of a countermeasure and how other vulnerabilities might entirely bypass it. Security is an emergent property of the Web site; it’s not a summation of individual protections. Some countermeasures will show up several times, others make only a brief appearance.
Anyone who uses the Web to check email, shop, or work will benefit from knowing how the personal information on those sites might be compromised or how sites harbor malicious content. The greatest security burden lies with a site’s developers. Users have their own part to play, too. Especially in terms of maintaining an up-to-date browser, being careful with passwords, and being wary of non-technical attacks like social engineering.
Web application developers and security professionals will benefit from the technical details and methodology behind the Web attacks covered in this book. The first steps to improving a site’s security are understanding the threats to an application and poor programming practices lead to security weaknesses that lead to vulnerabilities that lead to millions of passwords being pilfered from an unencrypted data store. Plus, several chapters dive into effective countermeasures independent of the programming languages or technologies underpinning a specific site.
Executive level management will benefit from understanding the threats to a Web site and in many cases how a simple hack—requiring no more tools than a browser and a brain—negatively impacts a site and its users. It should also illustrate that even though many attacks are simple to execute, good countermeasures require time and resources to implement properly. These points should provide strong arguments for allocating funding and resources to a site’s security in order to protect the wealth of information that Web sites manage.
This book assumes some basic familiarity with the Web. Web security attacks manipulate HTTP traffic to inject payloads or take advantage of deficiencies in the protocol. They also require understanding HTML in order to manipulate forms or inject code that puts the browser at the mercy of the attacker. This isn’t a prerequisite for understanding the broad strokes of a hack or learning how hackers compromise a site. For example, it’s good to start off with the familiarity that HTTP uses port 80 by default for unencrypted traffic and port 443 for traffic encrypted with the Secure Sockets Layer/Transport Layer Security (SSL/TLS). Sites use the https:// scheme to designate TLS connections. Additional details are necessary for developers and security professionals who wish to venture deeper into the methodology of attacks and defense. The book strives to present accurate information. It does not strive for exacting adherence to nuances of terminology. Terms like URL and link are often used interchangeably, as are Web site and Web application. Hopefully, hacking concepts and countermeasure descriptions are clear enough that casual references to HTML tags and HTML elements don’t irk those used to reading standards and specifications. We’re here to hack and have fun.
Readers already familiar with basic Web concepts can skip the next two sections.
The Modern Browser
There are few references to specific browser versions in this book. The primary reason is that most attacks work with standard HTML or against server-side technologies to which the browser is agnostic. Buffer overflows and malware care about specific browser versions, hacks against Web sites rarely do. Another reason is that browser developers have largely adopted a self-updating process or at least very fast release process. This means that browsers stay up to date more often, a positive security trend for users. Finally, as we’ll discover in Chapter 1, HTML5 is still an emerging standard. In this book, a “modern browser” is any browser or rendering engine (remember, HTML can be accessed by all sorts of devices) that supports some aspect of HTML5. It’s safe to say that, as you read this, if your browser has been updated within the last 2 months, then it’s a modern browser. It’s probably true that if the browser is even a year old it counts as a modern browser. If it’s more than a year old, set the book down and go install the security updates that have been languishing in uselessness for you all this time. You’ll be better off for it.
Gone are the days when Web applications had to be developed with one browser in mind due to market share or reliance on rendering quirks. It’s a commendable feat of engineering and standards (networking, HTTP, HTML, etc.) that “dead” browsers like Internet Explorer 6 still render a vast majority of today’s Web sites. However, these relics of the past have no excuse for being in use today. If Microsoft wants IE6 to disappear, there’s no reason a Web site should be willing to support it—in fact, it would be a bold step to actively deny access to older browsers for sites whose content and use requires a high degree of security and privacy protections.
One Origin to Rule them all
The Same Origin Policy (SOP) is a fundamental security border with the browser. The abilities and visibility of content are restricted to the origin that initially loaded the resource. Unlike low-budget horror movie demons who come from one origin to wreak havoc on another, a browsing context is supposed to be restricted to the origin from whence it came. An origin is the combination of the scheme, host, and port used to retrieve the resource for the browsing context. We’ll revisit SOP several times, beginning with HTML5’s relaxations to it in Chapter 1.
This book is far too short to cover ancillary topics in detail. Several attacks and countermeasures dip into subjects like cryptography with references to hashes, salts, symmetric encryption, and random numbers. Other sections venture into ideas about data structures, encoding, and algorithms. Sprinkled elsewhere are references to regular expressions. (And, of course, you’ll run into a handful of pop culture references—any hacking tract requires them.) The concepts should be described clearly enough to show how they relate to a hack or countermeasure even if this is your first introduction to them. Some suggested reading has been provided where more background knowledge is helpful. This book should lead to more curiosity about such topics. A good security practitioner or Web developer is conversant on a broad range of topics even if some of their deeper mathematical or theoretical details remain obscure.
The most important security tool for this book is the Web browser. Quite often it’s the only tool necessary to attack a Web site. Web application exploits run the technical gamut of complex buffer overflows to single-character manipulations of the URI. The second most important tool in the Web security arsenal is a tool for sending raw HTTP requests. The following tools make excellent additions to the browser.
Netcat is the ancient ancestor of network security tools. It performs one basic function: open a network socket. The power of the command comes from the ability to send anything into the socket and capture the response. It is present by default on most Linux systems and OS X, often as the nc command. Its simplest use for Web security is as follows:
echo -e “GET/HTTP/1.0”|netcat -v mad.scientists.lab 80
Netcat has one failing for Web security tests: it doesn’t support SSL. Conveniently, the OpenSSL command provides the same functionality with only minor changes to the command line. An example follows:
echo -e “GET/HTTP/1.0”|openssl s_client -quiet -connect mad.scientists.lab:443
Local proxies provide a more user-friendly approach to Web security assessment that command line tools. The command line serves well for automation, but the proxy is most useful for picking apart a Web site and understanding what goes on behind the scenes of a Web request. Appendix A provides some brief notes on additional tools.
Risks, Threats, Weaknesses, Vulnerabilities, Exploits—Oh, My!
A certain group of readers may notice that this book studiously avoids rating the hacks it covers. Like Napoleon and Snowball in Animal Farm, some Web vulnerabilities are more equal than others. Concepts like risk, impact, and threat require more information about the context and environment of a Web application than can be addressed here.
Threats might be hackers, Anonymous (with a capital A), criminal enterprises, tsunamis, disk failures, tripping over power cords, disgruntled coders, or anything else with the potential to negatively affect your site. They represent actors—who or what that acts upon your site.
An evocative description of security is Dan Geer’s succinct phrase, “…the absence of unmitigatable surprise.”1 From there, risk might be considered in terms of the ability to expect, detect, and defend something. Risk is influenced by threats, but it’s also influenced by the value you associate with a Web site or the information being protected. It’s also influenced by how secure you think the Web site is now. Or how easy it will be to recover if the site is hacked. Many of these are hard to measure.
If a vulnerability exists in your Web site, then it’s a bug. Threats may be an opportunistic hacker or an advanced, persistent person. Risk may be high or low by your measurements. The risk may be different, whether it’s used to inject an iframe that points to malware or used to backdoor the site to steal users’ credentials. In any case, it’s probably a good idea to fix the vulnerability. It’s usually easier to fix a bug than it is to define the different threats that would exploit it. In fact, if bugs (security-related or not) are hard to fix, then that’s an indication of higher risk right there.
The avoidance of vulnerability ratings isn’t meant to be dismissive of the concept. Threat modeling is an excellent tool for thinking through potential security problems or attacks against a Web site. The OWASP site summarizes different approaches to crafting these models,https://www.owasp.org/index.php/Threat_Risk_Modeling. A good threat-oriented reference is Microsoft’s STRIDE (http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx). At the opposite end of the spectrum is the Common Weakness Enumeration (http://cwe.mitre.org/) that lists the kinds of programming errors targeted by threats.
How This Book is Organized
This book contains eight chapters that describe hacks against Web sites and browsers alike. Each chapter provides examples of hacks used against real sites. Then it explores the details of how the exploits work. The chapters don’t need to be tackled in order. Many attacks are related or combine in ways that make certain countermeasures ineffective. That’s why it’s important to understand different aspects of Web security, especially the point that Web security includes the browser as well as the site.
Chapter 1: HTML5
A new standard means new vulnerabilities. It also means new ways to exploit old vulnerabilities. This chapter introduces some of the major APIs and features of the forthcoming HTML5 standard. HTML5 may not be official, but it’s in your browser now and being used by Web sites. And it has implications not only for security, but for the privacy of your information as well.
Chapter 2: HTML Injection and Cross-Site Scripting
This chapter describes one of the most pervasive and easily exploited vulnerabilities that crop up in Web sites. XSS vulnerabilities are like the cockroaches of the Web, always lurking in unexpected corners of a site regardless of its size, popularity, or sophistication of its security team. This chapter shows how one of the most prolific vulnerabilities on the Web is exploited with nothing more than a browser and basic knowledge of HTML. It also shows how the tight coupling between the Web site and the Web browser is a fragile relationship in terms of security.
Chapter 3: Cross-Site Request Forgery
Chapter 3 continues the idea of vulnerabilities that target Web sites and Web browsers. CSRF attacks fool a victim’s browser into making requests that the user didn’t intend. These attacks are subtle and difficult to block. After all, every Web page is technically vulnerable to CSRF by default.
Chapter 4: SQL Injection and Data Store Manipulation
The next chapter shifts focus squarely onto the Web application and the database that drives it. SQL injection attacks are most commonly known as the source of credit card theft. This chapter explains how many other exploits are possible with this simple vulnerability. It also shows that the countermeasures are relatively easy and simple to implement compared to the high impact successful attacks carry. And even if your site doesn’t have a SQL database it may still be vulnerable to SQL-like data injection, command injection, and similar hacks.
Chapter 5: Breaking Authentication Schemes
Chapter 5 covers one of the oldest attacks in computer security: brute force password guessing against the login prompt. Yet brute force attacks aren’t the only way that a site’s authentication scheme falls apart. This chapter covers alternate attack vectors and the countermeasures that will—and will not—protect the site.
Chapter 6: Abusing Design Deficiencies
Chapter 6 covers a more interesting type of attack that blurs the line between technical prowess and basic curiosity. Attacks that target a site’s business logic vary as much as Web sites do, but many have common techniques or target poor site designs in ways that can lead to direct financial gain for the attacker. This chapter talks about the site is put together as a whole, how attackers try to find loopholes for their personal benefit, and what developers can do when faced with a problem that doesn’t have an easy programming checklist.
Chapter 7: Leveraging Platform Weaknesses
Even the most securely coded Web site can be crippled by a poor configuration setting. This chapter explains how server administrators might make mistakes that expose the Web site to attack. The chapter also covers how the site’s developers might also leave footholds for attackers by creating areas of the site where security is based more on assumption and obscurity than well-thought-out measures.
Chapter 8: Web of Distrust
The final chapter brings Web security back to the browser. It covers the ways in which malicious software, malware, has been growing as a threat on the Web. The chapter also describes ways that users can protect themselves when the site’s security is out of their hands.
Where to Go From Here
Nothing beats hands-on experience for learning new security techniques or refining old ones. This book provides examples and descriptions of the methodology for finding—and preventing—vulnerabilities. One of the best ways to reinforce the knowledge from this book is by applying it against real-Web applications. It’s unethical and usually illegal to start blindly flailing away at a random Web site of your choice. However, the security mindset is slowly changing on this front. Google offers cash rewards for responsible testing of certain of its Web properties.2 Twitter also treats responsible testing fairly.3 Neither of these examples imply a carte blanche for hacking, especially hacks that steal information or invade the privacy of others. However, you’d be hard pressed to find more sophisticated sites that welcome feedback and vulnerability reports.
There are training sites like Google’s Gruyere (http://google-gruyere.appspot.com/), OWASP’s WebGoat (https://www.owasp.org/index.php/Webgoat), and DVWA (http://www.dvwa.co.uk/). Better yet, scour sites like SourceForge (http://www.sf.net/), Google Code (http://code.google.com/), and GitHub (https://github.com/) for Open Source Web applications. Download and install a few or a few dozen. The effort of deploying a Web site (and fixing bugs or tweaking settings to get them installed) builds experience with real-world Web site concepts, programming patterns, and system administration. Those foundations are more important to understanding security that route adherence to a hacking checklist. After you’ve struggled with installing a PHP, Python, .NET, Ruby, Web application start looking for vulnerabilities. Maybe it has a SQL injection problem or doesn’t filter POST data to prevent cross-site scripting. Don’t always go for the latest release of a Web application; look for older versions that have bugs fixed in the latest version. It’s just as instructive to compare difference between versions to understand how countermeasures are applied—or misapplied in some cases.
The multitude of mobile apps and astonishing valuation of Web companies ensures that Web security will remain relevant for a long time to come. Be sure to check out the accompanying Web site for this book, http://deadliestwebattacks.com/, for coding examples, opinions on- or off-topic, hacks in the news, new techniques, and updates to this content.